Legal

Data Processing Clauses complementing
TRACKFORCE’s Terms and Conditions

Updated September 1st, 2022

Data Processing Clauses complementing

TRACKFORCE’s Terms and Conditions

Updated September 1st, 2022

The software solutions marketed by Trackforce are designed and developed internally, without any use of subcontracting. However, Trackforce may need to approach third-party companies for certain services such as data hosting or the provision of dedicated software such as customer relationship management, sales management, sales force, production management, or project management.

These Data Processing Clauses therefore define the conditions under which Trackforce may either entrust these types of services to Processors, or execute itself, as a Processor, the services on behalf of the Client as Controller according to the UK General Data Protection Regulation (UK GDPR), tailored by the Data Protection Act 2018 (hereinafter the “UK GDPR”).

As a result, these Data  Processing Clauses supplement the Trackforce Terms and Conditions (hereinafter the “T&C”) as set out below.

Clause no. 1: Subcontracting between TRACKFORCE and third party subcontractors

The Client expressly authorizes TRACKFORCE to subcontract all or part of the services stipulated in the T&C to any third party subcontractor of its choice.

The purchase by the Client of the Goods listed and marketed in the TRACKFORCE’s T&C implies acceptance by the Client of the Subcontractor’s terms and conditions of services.

It is TRACKFORCE’s responsibility to ensure that the chosen Subcontractor provides sufficient guarantees for the implementation of appropriate technical and organisational measures to ensure that the processing meets the requirements of the UK GDPR.

Clause no. 2: Subcontracting between TRACKFORCE and the Client

Pursuant to this article 2, TRACKFORCE is the Processor and the Client is the Controller as defined in the UK GDPR for all personal data processed by TRACKFORCE on behalf of the Client pursuant to TRACKFORCE’s T&C.

Clause no. 2-1: Subject

The purpose of this Clause 2.1 and its subsections is to define the conditions under which TRACKFORCE (acting as Processor) undertakes to perform on behalf of the Client (acting as Controller) the personal data processing operations defined below.

As part of their contractual relations, the Parties undertake to respect the regulations in force applicable to the processing of personal data and, in particular, the mandatory UK GDPR as of 23 May, 2018.

Clause no. 2-2: Processing on instructions

TRACKFORCE and any person acting under its authority, having access to the Client’s personal data, undertake to process such data only on the Client’s documented instructions, including, if need be, the transfer of such data to a third country or to an international organisation, unless TRACKFORCE is required to do so under the United Kingdom law or any other relevant legislation to which TRACKFORCE is subject. In this case, TRACKFORCE informs the Client of this legal obligation prior to processing, unless the law concerned prohibits such information for important reasons of public interest.

TRACKFORCE will inform the Client immediately if, according to TRACKFORCE, a Client’s instruction constitutes a breach of the United Kingdom law or any other relevant legislation relating to the protection of personal data.

Clause no. 2-3: Description of the processing

TRACKFORCE is authorized to process on behalf of the Client the personal data necessary to provide the service(s) defined by mutual agreement between the Parties, including the duration of the processing, its nature and purpose, its type and the categories of individuals concerned, and the obligations and rights of the Client as Controller.

Clause no. 2-4: Obligations of the TRACKFORCE (as Processor) to the Client (as Controller)

As Processor for the data involved in the Subcontracting, TRACKFORCE undertakes to:

  • Process the personal data in question only for the sole purpose(s) which is/are the subject of the processing.
  • Process the data in accordance with the documented instructions of the Client as Controller.
  • Guarantee the confidentiality of the personal data processed.
  • Ensure that persons authorized to process personal data under this agreement (i) undertake to respect confidentiality or are subject to an appropriate legal duty of confidentiality and (ii) receive the necessary training in the protection of personal data.
  • Take into account, in terms of tools, products, applications or services, the principles of data protection by design and data protection by default.

Clause no. 2-5: Sub-processing

As Processor for data involved in the contract between the Parties, TRACKFORCE may use another Processor (hereinafter, the “sub-processor”) to conduct specific processing activities.

In this case, TRACKFORCE informs the Controller in advance and in writing of any proposed change regarding the addition or replacement of other sub-processsor. This information must clearly indicate the sub-processed activities, the sub-processor’s identity and contact information, and the dates of the sub-processing agreement. The Controller has a period of 10 (ten) days from the date of receipt of this information to present his objections. This sub-processing can only be done if the Controller has not objected within the agreed period.

The sub-processor is required to comply with the obligations of this agreement on behalf of and in accordance with the Controller’s instructions. It is the responsibility of the Processor to ensure that the sub-processor provides sufficient guarantees for the implementation of appropriate technical and organisational measures to ensure that the processing meets the requirements of the UK GDPR. If the sub-processor does not fulfil its data protection obligations, the Processor remains fully responsible to the Controller for performance of its obligations.

Clause no. 2-6: Right of information of the data subjects

It is the responsibility of the Client as Controller to provide information to data subjects involved in the processing operations at the time of data collection.

Clause no. 2-7: Exercising personal data rights

Whenever possible, TRACKFORCE, as Processor, will assist the Client as Controller in fulfilling his obligation to respond to requests for exercise of the rights of data subjects: right of access, rectification, erasure and deletion, right to object, right to restrict processing, right to data portability, right not to be the subject of an individual automated decision (including profiling).

When data subjects present requests to TRACKFORCE as Processor to exercise their rights, TRACKFORCE must send these requests as soon as they are received by email to the Client’s email address as shown on its profile.

Clause no. 2-8: Notification of personal data breach

As Processor, TRACKFORCE will notify the Client as Controller of any personal data breach without undue delay in accordance with article 68 of the UK GDPR, and by e-mail to the Client’s contact e-mail address as shown on its profile.

This notification will be accompanied by all relevant documentation to enable the Client as Controller, if necessary, to notify this breach to the supervisory authority, in this case the the Information Commissioner’s Office  (ICO).

Clause no. 2-9: Assistance of TRACKFORCE as Processor to the Client as Controller in its data protection obligations

As Processor, TRACKFORCE will assist the Client as Controller in case of data protection impact assessment or consultation of the supervisory authority (ICO).

The services set out in this Clause 2-9 will be provided by TRACKFORCE under the particular financial and time conditions to be agreed in advance between the Client and TRACKFORCE.

Clause no. 2-10: Security measures

Insofar as article 66 of the UK GDPR stipulates that each controller and each processor must implement appropriate technical and organisational measures to ensure a level of security appropriate to the risks arising from the processing of personal data, each Party undertakes, insofar as the personal data for which it is responsible is involved, to implement measures designed to:

  • Prevent unauthorised processing or unauthorised interference with the systems used in connection with it ;
  • Ensure that it is possible to establish the precise details of any processing that takes place ;
  • Ensure that any systems used in connection with the processing function properly and may, in the case of interruption, be restored, and ;
  • Ensure that stored personal data cannot be corrupted if a system used in connection with the processing malfunctions.

Clause no. 2-11: Fate of data

TRACKFORCE undertakes to destroy personal data at the end of its retention period determined according to the nature of said data, it being recalled that the Client must regularly make its own backups using the software tools made available on the Guardtek Platform.

Clause no. 2-12: Data Protection Officer

TRACKFORCE communicates to the Client as Controller the name and contact details of its Data Protection Officer, hereinafter “DPO”, designated in accordance with article 69 of the UK GDPR, if the Client requests it.

Clause no. 2-13: Record of categories of processing activities

As Processor, TRACKFORCE declares it will keep in writing a record of all categories of processing activities carried out on behalf of the Client as Controller, containing:

  • The name and contact details of TRACKFORCE as Processor and of any other processors engaged by TRACKFORCE in accordance with section 59(3);
  • The name and contact details of the Client as Controller on behalf of which the Processor is acting;
  • Where applicable, the name and contact details of the data protection officer;
  • The categories of processing carried out on behalf of the Client as Controller;
  • Where applicable, details of transfers of personal data to a third country or an international organisation where explicitly instructed to do so by the Controller, including the identification of that third country or international organisation;
  • Where possible, a general description of the technical and organisational security measures referred to in section 66 of the UK GDPR.

Clause no. 2-14: Documentation

As Processor, TRACKFORCE makes available to the Client as Controller the necessary documentation to demonstrate compliance with all its obligations and to perform audits, including inspections, by the Client or another auditor it may have appointed, and contribute to these audits.

Clause no. 3: Obligations of the Client as Controller to TRACKFORCE as Processor

As Controller, the Client undertakes to:

  • Provide TRACKFORCE as Processor with the information and data listed in Clause 2-3 hereof.
  • Document in writing any instructions regarding the processing of data by TRACKFORCE.
  • Ensure, in advance and throughout the duration of the processing, compliance with the obligations stipulated by the UK GDPR.
  • Supervise the data processing, including conducting audits and inspections with TRACKFORCE.

Clause no. 4: Maintenance of non-contrary provisions of TRACKFORCE’s T&C 

These Data Processing Clauses supplement TRACKFORCE’s Terms and Conditions, the non-contrary provisions of which remain applicable.